NRC FORM 464 Part I (OIG) 

(09-20’S) 


U.S. NUCLEAR REGULATORY COMMISSION I NRC 


RESPONSE NUMBER 




RESPONSE TO FREEDOM OF 
INFORMATION ACT (FOIA) REQUEST 


2019-000322 


RESPONSE 
TYPE \y 


REQUESTER: 


Emma Best 


8/7/2019 


DESCRIPTION OF REQUESTED RECORDS: 


Records, during the time period, Januarj 1, 1996 through June 30, 2016, mentioning or describing audits, reviews, 
investigations, or reports regarding the state of the agency's cybersecurity program vis-a-vis potential attacks, or audits or 
investigations conducted in the wake of a suspected or actual cyber attack, hacking incident or breach. 


PART I. - INFORMATION RELEASED 

^ The NRC has made some, or all, of the requested records publicly available through one or more of the following means: 

— (1) https://www.nrc,gov: (2) public ADAMS. https://www nrc.gov/readinQ-rm/adams html : (3) microfiche available in the NRC Public 
Document Room; or FOIA Online, httos://folaonline.regulat ions gnv/fnia/antinn/piihlir./hnrnA 

I I Agency records subject to the request are enclosed 

□ Records subject to the request that contain information originated by or of interest to another Federal agency have been referred to 
that agency (See Part I D - Comments) for a disclosure determination and direct response to you 

I /1 We are continuing to process your request. 

I / I See Part I D - Comments. 


PART I.A - FEES 



I I You will be billed by NRC for the amount indicated. 
I I You will receive a refund for the amount indicated. 

I I Fees waived. 


I I Since the minimum fee threshold was not 
met, you will not be charged fees. 

I I Due to our delayed response, you will not be 
— charged search and/or duplication fees that 
would otherwise be applicable to your request. 


PART I.B ~ INFORMATION NOT LOCATED OR WITHHELD FROM DISCLOSURE 

I I We did not locate any agency records responsive to your request Note: Agencies may treat three discrete categories of law 

— enforcement and national security records as not subject to the FOIA ("exclusions"). See 5 U.S.C. 552(c). This is a standard 
notification given to all requesters; it should not be taken to mean that any excluded records do, or do not, exist. 

I I We have withheld certain information pursuant to the FOIA exemptions described, and for the reasons stated, in Part II. 

1^ Because this is an Interim response to your request, you may not appeal at this time. We will notify you of your right to appeal any of 

— the responses we have issued in response to your request when we issue our final determination. 

I I You may appeal this final determination within 90 calendar days of the date of this response If you submit an appeal by mail, 

— address it to the FOIA Officer, at U S Nuclear Regulatory Commission, Mail Stop T-2 F43, Washington, D C 20555-0001 You may 
submit an appeal bye-mail to EOlA.resourceig/nrc.Qov . You may fax an appeal to (301)415-5130. Or you may submit an appeal 
through FOIA Online, https .'/foiaonline.regulations gov/foia/action,'public ,'home Please be sure to include on your submission that it 
is a “FOIA Appeal" 


PART I.C - REFERENCES AND POINTS OF CONTACT 

You have the right to seek assistance from the NRC's FOIA Public Liaison by submitting your inquiry at 
http.s://www.nrc.gov/reading -rm/foia/contact-foia. html. or by calling the FOIA Public Liaison at (301) 415-1276. 

If we have denied your request, you have the right to seek dispute resolution services from the NRC's Public Liaison or the Office of 
Government Information Services (OGIS). To seek dispute resolution services from OGIS, you may e-mail OGIS at ogis@nara.oov. send 
a fax to (202) 741-5789, or send a letter to: Office of Government Information Services, National Archives and Records Administration, 
8601 Adelphi Road, College Park, MD 20740-6001 For additional information about OGIS, please visit the OGIS website at 
https : //WWW. a rchives. qov/oq is. 
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PART I.D - COMMENTS 


Upon receipt of your request, the FOIA Office reacheij out to clarify/confirm the scope of your request. As we didn't hear 
from you, we have interpreted your request to ask for audit or investigation reports regarding the state of the U.S. Nuclear 
Regulatory Commission's cyber security program, including any such reports conducted in the wake of a suspected or 
actual cyber attack, hacking incident or breach. Please note that the Office of Inspector General [OIG] did not locate any 
reports before 2005. The OIG generally posts its audit reports on the NRC website; https://www.nrc.gov/reading-rm/doc- 
collections/insp-gen/. To facilitate your search, we have listed the audit reports response to your request herein: 

OIG-05-A-21, Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act 
(FISMA) for FY2005 (ML052850420) - REDACTED 

OIG-05-A-18, System Evaluation of Security Controls for Standalone Personal Computers and Laptops (ML052770193) 
OIG-06-A-06, Audit of NRC's Integrated Personnel Security System (ML060240406) IS THIS SAME AS "IPSS 2005"? 
OIG-06-A-26, Independent Evaluation of NRC's Implementation of the FISMA for FY2006 (ML062750228) 

OIG-07-A-19, Independent Evaluation of NRC's Implementation of the FISMA for FY2007 {ML072710196) 

OIG-08-A-18, Independent Evaluation of NRC's Implementation of the FISMA for FY2008 (ML082700765) 

OIG-08-A-06, Memorandum Report: NRC's Planned Cybersecurity Program (ML080790426) 

OIG-09-A-11, Evaluation Report: Information System Security Evaluation of the Technical Training Center - Chattnooga, T 
(ML092040108) - REDACTED 

OIG-10-A-04, Independent Evaluation of NRC's Implementation of the FISMA for FY2009 (ML093210372) 

O1G-10-A-18, Assessment of NRC's Wireless Devices (ML102600409) - REDACTED 

OIG-11-A-03, Independent Evaluation of NRC's Implementation of the FISMA for FY2010 (ML103130451) 

OIG-12-A-04, Independent Evaluation of NRC's Implementation of the FISMA for FY2011 (ML113130308) 

OIG-13-A-03, Independent Evaluation of NRC's Implementation of the FISMA for FY2012 (ML12313A195) 

OIG-13-A-08, Independent Evaluation of NRC's Use and Security of Social Media (ML13023A007) 

OIG-13-A-09, Audit of NRC's Progress in Carrying out the '25 Point Implementation Plan to Reform Federal Information 
Technology Management' (ML13023A105) 

OIG-13-A-19, Memorandum Report: Audit of NRC's Information Technology Readiness for Three White Flint North 
(ML13154A415) 

OIG-14-A-04, Audit of NRC's Information Technology Governance (ML13343A244) 

OIG-14-A-15, Audit of NRC's Cyber Security Inspection Program for Nuclear Power Plants (ML14127A138) 

OIG-15-A-02, Independent Evaluation of NRC's Implementation of the FISMA for FY2014 (ML14323A321) 

OIG-15-A-17, Audit of NRC's Web-Based Licensing System (WBL) (ML15180A203) 

OIG-16-A-03, Independent Evaluation of NRC's Implementation of the FISMA for FY2015 (ML15316A491) 

OIG-16-A-07, Audit of NRC's Network Security Operations Center (ML16011A319) 

OIG-16-A-15, Independent Evaluation of the Security of NRC's Publicly Accessible Web Applications {ML16153A074) 
OIG-16-A-18, Cybersecurity Act of 2015 Audit for NRC (ML16221A578) 

OIG-17-A-03, Independent Evaluation of NRC's Implementation of the FISMA for FY2016 (ML16313A140) 

OIG-17-A-15, Independent Evaluation of NRC's Implementation of the FISMA for FY2017 - Region III, Lisle, IL 
(ML17151A244) 

OIG-17-A-16, Audit of NRC's Adoption of Cloud Computing (ML17171A136) 

OIG-17-A-17, Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act 
(FISMA) for FY2017 - Region I, King of Prussia, PA (ML17184A010) 

OIG-17-A-19, Evaluation of NRC's Network Storage Interruption (ML17208A031) 

OIG-17-A-22, Independent Evaluation of NRC's Implementation of the FISMA for FY2017 - Technical Training Center 
Chattanooga, TN (ML17229B479) 

OIG-17-A-25, Independent Evaluation of NRC's Implementation of the FISMA for FY2017 - Region IV, Arlington, TX 
(ML17263A196) 


[See next page for a continuation of the Comments Section] 
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